groove1

Thanks. Everything is set to update automatically. I think it may have somehow been transmitted over an unsecure wireless network with an infected pc on it. Won't do that again.

Malwarebytes' Anti-Malware 1.37 Database version: 2267 Windows 5.1.2600 Service Pack 3 6/12/2009 3:43:49 PM mbam-log-2009-06-12 (15-43-49).txt Scan type: Quick Scan Objects scanned: 119950 Time elapsed: 4 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

Thx, Btw, that is from SnagIT which is another powerful program http://www.techsmith.com/screen-capture.asp Anyway, nothing found and that scan was very fast. I am going to assume I am ok but will wait to confirm. I know this thing could potentially have been bad so I am glad I found it quickly.

Sorry I didn't click "Upload" before.

Is this what I need to change and if so, what? Thanks.

Also, no problems that I know of; the backdoor.agent is not showing up on the MB or Symantec scans.

I went to update and it told me I was running the latest version but it appears to be the same: Malwarebytes' Anti-Malware 1.37 Database version: 2182 Windows 5.1.2600 Service Pack 3 6/12/2009 9:13:58 AM mbam-log-2009-06-12 (09-13-58).txt Scan type: Quick Scan Objects scanned: 115196 Time elapsed: 7 minute(s), 53 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

In the interim you can use the On Screen Board which is slower but cannot be record by key loggers. For XP go to Start > Accesories > Accesibilty > On Screen Keyboard. Use this when logging into websites and email accounts until you are sure they keylogger is removed.

It's so true. Buy a Mac already.

Sorry, I did not see an edit button. I just realized that I had done a system restore yesterday because when I first ran MB it showed the version as being 1.36. So I think I restored everything back to the day when I made the changes. Our deskiside support guy was here and changed some things, so I wanted to change them back. This was the same day the backdoor agent was found, so when I went back to restore it to that day, that may have been when it showed up again. Here is the scan after deleting and running the HJT in the previous post. Malwarebytes' Anti-Malware 1.37 Database version: 2182 Windows 5.1.2600 Service Pack 3 6/11/2009 10:53:01 AM mbam-log-2009-06-11 (10-53-01).txt Scan type: Quick Scan Objects scanned: 111672 Time elapsed: 4 minute(s), 31 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

A guy walks into a bar and says "Ouch".

MB detected this 3 days ago. I ran the scan yesterday and the day before and it was not there. Updated MB today, ran the scan and there it was again. Malwarebytes' Anti-Malware 1.37 Database version: 2182 Windows 5.1.2600 Service Pack 3 6/11/2009 9:03:51 AM mbam-log-2009-06-11 (09-03-51).txt Scan type: Quick Scan Objects scanned: 115761 Time elapsed: 4 minute(s), 45 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation (Backdoor.Agent) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:54:31 AM, on 6/11/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal HJT Log: Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\ibmpmsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Smc.exe C:\Program Files\Symantec AntiVirus\SNAC.EXE C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe c:\altiris\aclient\aclient.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\system32\PSIService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\TPHDEXLG.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec AntiVirus\SmcGui.exe C:\altiris\aclient\AClntUsr.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\TpShocks.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\RightFax\Client\English\FaxCtrl.exe C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\FileBound\Viewer\FBViewerLauncher.exe C:\Program Files\Symantec AntiVirus\SymCorpUI.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE C:\WINDOWS\system32\WISPTIS.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.compass-usa.com O15 - Trusted Zone: http://*.compassperformance.com O15 - Trusted Zone: http://*.ondemand.halogensoftware.com O15 - Trusted Zone: *.redcross.org O15 - Trusted Zone: *.compass-sales.com (HKLM) O15 - Trusted Zone: http://*.compass-usa.com (HKLM) O15 - Trusted Zone: *.compassperformance.com (HKLM) O15 - Trusted Zone: http://*.compassperformance.com (HKLM) O15 - Trusted Zone: fin.crothall.com (HKLM) O15 - Trusted Zone: http://fin.crothall.com (HKLM) O15 - Trusted Zone: teamchimes.crothall.com (HKLM) O15 - Trusted Zone: http://teamchimes.crothall.com (HKLM) O15 - Trusted Zone: teamops.crothall.com (HKLM) O15 - Trusted Zone: http://teamops.crothall.com (HKLM) O15 - Trusted Zone: http://crothall.fileburst.com (HKLM) O15 - Trusted Zone: *.halogensoftware.com (HKLM) O15 - Trusted IP range: 192.168.101.20 (HKLM) O15 - ESC Trusted Zone: http://www.wise.com O15 - ESC Trusted Zone: http://www.wise.com (HKLM) O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199306547204 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NA.compassgroup.corp O17 - HKLM\Software\..\Telephony: DomainName = NA.compassgroup.corp O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NA.compassgroup.corp O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - c:\altiris\aclient\aclient.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Google Update Service (gupdate1c9db22824e6082) (gupdate1c9db22824e6082) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe -- End of file - 9989 bytes

Malwarebytes founnd this on my PC Monday. I had run MB the day before and it wasn't there then. I deleted it right away. I didn't use my computer for anything personal in the interim. Is the pc safe? Sorry, I deleted the log but it was backdoor.agent in the registry key.

What they are syaing is they opened a video message from someone, it contained a fake download purported to be Adobe Flash, they tried downloading it and got the malware. This is actully I found out about MB. We did a dance performance at work and several people recorded the video. The next day I get a message on Facebook from a coworker saying that I look funny dancing in the video (which I did because it was a comedy dancee routine). So I dowloaded the 'software' and got koobface. It was just a real bad coincidence at that time. Symantec didn't stop and although it found it couldn't get rid of it. So i found Malwarbytes on CNET, downloaded the program, removed the koobface and eberything is fine. The other day I got a backdoor bug which MB found and Symantec did not. I got rid of that promptly too.